“The manufacturing sector is the third most targeted sector for cyber-attacks; yet it is one of the least prepared and protected sectors of the economy”.
These are the findings of a report published by the manufacturers' organisation, the EEF, in partnership with insurance firm AIG and RUSI, the Royal United Services Institute.
Many cyber-incidents (those that are discovered) go unreported; however, there have been a number of notable attacks on manufacturing companies in the recent past that have been widely acknowledged:
At the end of 2014, a German steel mill suffered a cyber-attack. The attack caused the office network to become compromised and prevented the shutdown of the blast furnace itself, resulting in massive damage to the foundry.
In 2017, an attack on the industrial control systems of a Saudi Arabian petrochemical company, designed to cause an explosion, failed only because the developers of the malicious software made an error in the code. The attack still caused the system to shut down, but it did so in a safe manner.
Both of these attacks are thought to have been assisted by “insiders” with extensive access to systems and information.
Report – Headlines
The EEF report found that:
48% of manufacturers polled said that they had been the victim of a cyber-incident, and half of them had suffered financial loss or business disruption as a result of the incident;
35% of manufacturing businesses are not embracing digitisation where possible because of cyber security concerns, and are therefore losing possible business opportunities to competitors who have modernised;
41% of manufacturers don’t believe they can assess the cyber risk properly because of a lack of information and advice, and 45% don’t believe that they have the right tools to do the job;
Worryingly, 12% of manufacturers have no systems or measures in place at all to defend against the threat of cyber-attack and the resulting disruption that it would cause.
Cyber-security, however, is more than just dealing with the threat of technology and control systems being compromised to inflict damage and financial loss on a company.
Cyber-attacks can result in a multitude of different outcomes, including but not limited to the theft of sensitive information, the loss of access to control and IT systems, and the loss of competitive advantage through industrial espionage.
There is also another information loss vector that is often overlooked and should be considered – “Competitive Intelligence”.
All information leakage, legal or otherwise, can potentially be damaging to your business. The first thing to make clear is that the practice of competitive intelligence is not in any way illegal. It is a legitimate and respected business intelligence function that provides extremely valuable information for the companies using it, and for this reason it is included in my definition of “threat”.
An interesting paper, “Are we being innovative enough with composites”, written by Alison McMillan, PhD (a consultant at WOT-I Ltd) and published at the SAMPE Europe conference last year, suggests how it would be possible for a competitor to discover likely “technology insertion timeframes” in manufacturing companies.
The full paper can be accessed at the following link;
“Technology Insertion Timeframes” can be identified by analysing the number of patent applications and comparing them against the rate of publishing of those applications and then looking for the peak. The report illustrates how easy it can be to identify the timeframe of a product coming to market.
When also combined with sophisticated data analysis, Alison McMillan demonstrates that this form of competitive intelligence could be an extremely powerful and predictive tool.
From my own conversations with Dr McMillan: in the circumstances described above, patent and IP protection held in a small number of major customer countries is likely to be sufficient to protect IP for a product globally. This is not the case, however, for manufacturing processes.
In order to protect manufacturing processes, Dr McMillan observes that companies should consider expanding the number of countries bound by IP protection measures to include as many countries as possible with advanced manufacturing and design capability, to provide the greatest possible protection. Without such action, a determined competitor could analyse the patent(s) and simply move the manufacture of “their” competing product to a country with a high-tech manufacturing capability where the patent is not in force – combining information from design data and inferred manufacturing processes to gain competitive advantage.
“In many cases keeping manufacturing processes secret can be a much more effective means as a protection strategy” [than relying on IP protection alone].
[There are cases where a patent can be a necessary option – it protects the original inventor from another company patenting the same idea, and thereby being excluded from using it]
– Alison McMillan.
The danger posed by competitive intelligence analysis, together with the increasing use of cyber-attack, industrial espionage and the theft of intellectual property to steal the lead on a competitor, makes it more important than ever for a target firm to secure its information.
Without “active” measures to secure and protect information against these threats, the route to manufacture for competitors and foreign governments alike becomes a much more achievable one.
So, how do you protect your IP and your manufacturing processes?
The way to protect your company and your IP is to implement an Information Security Management System (ISMS) within your organisation.
A tailored system, incorporating cyber / information security and business continuity should be simple, measurable and achievable. It will ensure you have robust, risk based defences, with appropriate measures, tools and systems to prevent information leakage or to deal with incidents when they occur.
Implementation of an Information Security Management System within your business, aligned with international standards such as ISO 27001 for Information Security, will ensure that all cyber and business resilience risks are identified and controlled appropriately, protecting you, your organisation and your intellectual property from risk.
For information on how ESID Consulting can help you to defend against the cyber threat, please contact us at firstname.lastname@example.org or Tel +44 (0) 844 358 2362.
Gary is CEO and Founder of ESID Consulting, an Insider Threat & Information Security consultancy.